Security Tradeoffs in Cyber Law
This project (work in progress) will shed light on an inherent conflict of interest in cyber governance. In cyberspace, the government wears two hats at once. It is in charge of enhancing the nation’s cybersecurity, as when it creates regulation for cybersecurity standards or provides incident response services to critical infrastructure facilities. However, the government is also acting in a different guise as an actor that increases cyber risks and exploits weaknesses in software to advance other security goals. A conflict of interest arises because enhancing cybersecurity often clashes with exploiting cyberspace for other security goals. Whenever this happens, the government is required to engage in security-security tradeoffs. This project will empirically detail an institutional bias within the executive branch to prioritize its offensive responsibilities over the defensive and argue that the law should severely limit this practice. The claim, in short, is that as our life and economy become ever more dependent on cybersecurity, the merits of the tradeoff are changing dramatically and rapidly. Especially in the 5G era, society’s ability to tolerate cybersecurity risks is decreasing, and any intentional creation of such risks in pursuit of short-term, tactical security gains becomes almost always indefensible.
Checks and Balances in Cyberspace
As many aspects of our lives move to the digital sphere, so does the attention of the state. Government agencies are increasingly present in cyberspace - investigating crime, spying on foreign nations and extremist groups (while incidentally sweeping personal data of innocent internet users), monitoring harmful speech and cyber threats, etc. Scholarly accounts split between two narratives in an attempt to theorize government power in cyberspace: some scholars view the rise of cyberspace as the beginning of an era of awesome and unchecked state power, while others see signs of state decline. This academic debate has important practical implications. If the government is truly unchecked in this domain, it might pose a serious threat to liberty; if, on the other hand, it is challenged by other actors and overly constrained from fulfilling its responsibilities, then public law might be required to create new arrangements for empowering the relevant government bodies.
In “Checks and Balances in Cyberspace” (forthcoming in 54 Cornell International Law Journal, 2021), the author challenges the two controlling narratives, showing that existing scholarship rests on incomplete accounts of the forces that shape the digital sphere. Drawing on modern separation-of-powers theories, he maps out the extra-constitutional forces and institutions that together form the cyber checks and balances ecosystem. In this ecosystem government power cannot be viewed as a static concept. Rather, it is defined and bounded by a complex set of institutional relationships with forces and actors belonging to four main categories: international law, international politics, the architecture of cyberspace, and the private sector. Understanding how this ecosystem operates allows lawmakers, judges, and other gatekeepers to optimize their efforts in keeping the ‘cyber executive’ in check.
Digital Contact Tracing Has Failed: Can it be fixed with better legal design?
In “Digital Contact Tracing Has Failed: Can it be fixed with better legal design?” )forthcoming in 24 Virginia Journal of Law and Technology, 2021), the author critically examines the overlooked role of law in one of the major and most consequential failures of the response to the coronavirus pandemic— the inability of governments across the democratic world to effectively use data-driven technology for controlling the spread of the disease. As more scientific data is collected and analyzed, researchers come to agree that the failure of contact tracing systems was not inevitable, but a result of design and policy choices made by governments, developers, and technology companies. This essay analyzes these choices within the political and legal cultures in which they were made and demonstrates how they were driven by legal frameworks that are ill-suited for pandemic response. The essay illustrates how the law failed to provide policymakers appropriate conditions to rationally consider the harms and benefits of the technology. Based on this analysis and drawing from a survey of recently enacted pandemic legislation from around the world, it outlines a new framework for health-emergency law.